incubator-cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: [DISCUSS] Support for Intel TXT technology
Date Thu, 10 Jan 2013 19:25:39 GMT
I really hope people don't run the attestation server as a VM managed by ACS - that sounds like an excellent way to shoot oneself in the foot…

On Jan 9, 2013, at 10:41 PM, Devdeep Singh <devdeep.singh@citrix.com> wrote:

> I would like to get some of the requirements cleared before working on the FS. There
> were several assumptions made in the POC and they need to be clarified.
> 
> 1. CloudStack will have to talk to an attestation server to check if a host is trusted
> or not. Is it correct to assume the attestation server, which can be a virtual appliance,
> is not managed by CloudStack?
> 2. The trust relation between the attestation server and hosts will be established outside
> the scope of CloudStack. CloudStack will just check with the attestation server whether a
> host is trusted or not.
> 3. Intel's attestation server is called Mt. Wilson. Anyone who is interested in using the
> feature will have to set up the Mt. Wilson server and configure CloudStack to talk to it.
> 4. Mt. Wilson provides an API Client toolkit (jar files) for quick integration. I am
> not sure how they are licensed, but if they are not compatible with the Apache license, this feature
> will have to be under 'nonoss'.
> 
> Regards,
> Devdeep
> 
>> -----Original Message-----
>> From: Animesh Chaturvedi [mailto:animesh.chaturvedi@citrix.com]
>> Sent: Thursday, January 10, 2013 2:48 AM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: RE: [DISCUSS] Support for Intel TXT technology
>> 
>> Sure Devdeep can provide the details
>> 
>>> -----Original Message-----
>>> From: Chip Childers [mailto:chip.childers@sungard.com]
>>> Sent: Wednesday, January 09, 2013 1:00 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: Re: [DISCUSS] Support for Intel TXT technology
>>> 
>>> On Wed, Jan 9, 2013 at 3:56 PM, Hari Kannan <hari.kannan@citrix.com> wrote:
>>>> Hi Chip,
>>>> 
>>>> I will let Animesh comment on the IP/repo stuff - regarding the
>>>> other 2 topics you raised
>>>> 
>>>> - I wouldn't claim code at a "done" level yet - we did develop code
>>>> to a sufficient level to demo, but it would need some more work for
>>>> sure. It hadn't made it as part of any Citrix commercial product
>>>> either - it was developed, showcased but hasn't yet seen the light
>>>> of the day
>>> 
>>> Understood...  so perhaps there isn't a design document.  Perhaps the
>>> author of the code (not sure who it is) wouldn't mind adding some
>>> basic design elements to the FS wiki page.  That will help the
>>> community evaluate the inclusion of the donated code.
>>> 
>>>> - Regarding the XS part, it has been developed/tested only for XS -
>>>> however, the feature is not restricted for XS - in other words, unlike the host
>>>> updates, which was meant to be for XS only, this feature eventually
>>>> must support all hypervisors (or even baremetal servers) - at this
>>>> time, it has been developed for XS only.
>>>> 
>>> 
>>> Excellent.  I'd like to see that reflected in the design / code as
>>> well, but glad to hear it was a consideration!
>>> 
>>>> Hari
>>>> 
>>>> -----Original Message-----
>>>> From: Chip Childers [mailto:chip.childers@sungard.com]
>>>> Sent: Wednesday, January 9, 2013 12:52 PM
>>>> To: cloudstack-dev@incubator.apache.org
>>>> Subject: Re: [DISCUSS] Support for Intel TXT technology
>>>> 
>>>> On Wed, Jan 9, 2013 at 3:44 PM, David Nalley <david@gnsa.us> wrote:
>>>>> On Wed, Jan 9, 2013 at 3:37 PM, Animesh Chaturvedi
>>>>> <animesh.chaturvedi@citrix.com> wrote:
>>>>>> This came in as I was following up on an action item from IRC today.
>>>>>> This feature is something that has already been developed before ACS 4.0
>>>>>> and processes were formalized and also had been demonstrated in public
>>>>>> forums such as in Intel Developers Forum last Sept but somehow missed
>>>>>> getting filed.
>>>>>> Can we consider it as an exception and take it for 4.1. I understand
>>>>>> we are a few days past cutoff, I will ensure we are more diligent in future.
>>>>>> 
>>>>>> Animesh
>>>>> 
>>>>> 
>>>>> Is the code already in the repo? Or was it developed externally?
>>>>> 
>>>> 
>>>> Good question.  My previous email made the assumption that it was
>>>> not currently in the project repo, but I could certainly be mistaken.
>>>> 
>>>> -chip
>>>> 
> 

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella
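The host-trust check described in points 1 and 2 of Devdeep's message (CloudStack asks an external attestation server whether a host is trusted and otherwise stays out of the trust relationship), modelled as an added Python example that is not CloudStack or Mt. Wilson code. The `AttestationClient` interface, `FakeAttestationClient`, and the host names are assumptions made for this illustration; the real Mt. Wilson API client is not modelled. It goes slightly beyond the thread by showing the two behaviours a practitioner would expect from such a check: fail closed when the attestation server cannot answer, and cache only positive verdicts for a bounded time.

```python
"""Constructed model of the host-trust check discussed in this thread.

Not CloudStack or Mt. Wilson code: the AttestationClient interface, the
FakeAttestationClient and the host names are assumptions made for the example.
"""
import time
from typing import Callable, Dict, Iterable, List, Protocol


class AttestationError(Exception):
    """Raised when the attestation server cannot give a verdict for a host."""


class AttestationClient(Protocol):
    """Minimal interface the orchestrator needs from an attestation client
    (hypothetical; the real Mt. Wilson API client toolkit is not modelled)."""

    def is_host_trusted(self, host: str) -> bool: ...


class FakeAttestationClient:
    """Stand-in for the external attestation server (constructed for the example)."""

    def __init__(self, verdicts: Dict[str, bool], unreachable: bool = False) -> None:
        self.verdicts = verdicts        # host -> trusted?, as the server would report it
        self.unreachable = unreachable  # simulate the server being down

    def is_host_trusted(self, host: str) -> bool:
        if self.unreachable:
            raise AttestationError("attestation server unreachable")
        if host not in self.verdicts:
            # A host never enrolled with the attestation server has no verdict.
            raise AttestationError(f"{host} not enrolled with attestation server")
        return self.verdicts[host]


class TrustedHostFilter:
    """Keeps only hosts the attestation server currently reports as trusted.

    Fails closed: any error from the attestation server counts as 'not trusted'.
    A positive verdict is cached for ttl_seconds so a burst of placements does
    not hammer the server; a negative verdict is never cached, so a host that is
    re-attested becomes usable again at its next check.
    """

    def __init__(self, client: AttestationClient, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.client = client
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing
        self._cache: Dict[str, float] = {}  # host -> time of last positive verdict

    def host_trusted(self, host: str) -> bool:
        now = self.clock()
        checked_at = self._cache.get(host)
        if checked_at is not None and now - checked_at < self.ttl:
            return True  # recent positive verdict still valid
        try:
            trusted = self.client.is_host_trusted(host)
        except AttestationError:
            trusted = False  # fail closed on any attestation failure
        if trusted:
            self._cache[host] = now
        else:
            self._cache.pop(host, None)  # never cache a negative verdict
        return trusted

    def filter_hosts(self, candidates: Iterable[str]) -> List[str]:
        """Return the candidate hosts eligible for VM placement."""
        return [h for h in candidates if self.host_trusted(h)]


if __name__ == "__main__":
    # Constructed sample: host-a attested, host-b failed attestation, host-c never enrolled.
    server = FakeAttestationClient({"host-a": True, "host-b": False})
    placement = TrustedHostFilter(server, ttl_seconds=60)
    print(placement.filter_hosts(["host-a", "host-b", "host-c"]))
```

The fail-closed branch is also where John's point bites: with the attestation server unreachable, `filter_hosts` returns no eligible hosts at all, so if that server were itself a VM on a host in the managed pool, migrating, stopping or distrusting that one host would stall placement across the whole cloud.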

